[Bro] Performance questions
mtdedlow at lbl.gov
Mon Feb 5 10:30:22 PST 2007
Zachary P Reimer wrote:
> I've been testing out bro 1.1c, and am looking at putting it into
> production, but have a couple of questions about hardware and
> performance issues. I'm currently running under FreeBSD 6. The
> throughput it'll be watching won't be extremely high (~200Mb), but
> connection counts will be quite high. The main question is whether to
> get a multiprocessor/multicore box, or split out some of the traffic to
> multiple smaller boxes.
I can't say much about Bro, per se, but I recently did some performance
testing of packet capture on FreeBSD 6 (ie, all the layers beneath Bro),
and found that multiple processors do not help much. For example,
top-of-the-line dual Xeon CPUs (>$4,000 of CPU) performed ~5% better
than a single PentiumD at under $500.
I'd also note that Bro cpu load is highly dependent on policy set.
As a floor benchmark, I've seen a connection-logging only policy on
a link averaging 100-200Mbs consume about 1% cpu on a low-end single
cpu system. You can't extrapolate much from this, except to note
that the Bro core seems to place very little demand on a system.
More information about the Bro